SMS4 - Northern Kentucky University

More documents

Recommendations

Info

$D:\MYDOCU~1\CH\ORIGIN~1\LECT\SUMMER\A\A-9192~1.NB Job 1$

4 JEREMY ERICKSON, TAYLOR UNIVERSITY 2.3. The SMS4 Key Schedule. We define a vector (Yi, Yi+1, Yi+2, Yi+3) ∈ (GF(2) 32 ) 4 as the key schedule input to round i. Denote the input key as (K0, K1, K2, K3). Then Y0 = K0 ⊕ 0xa3b1bac6 Y1 = K1 ⊕ 0x56aa3350 Y2 = K2 ⊕ 0x677d9197 Y3 = K3 ⊕ 0xb27022dc Also denote CKi = (cki,0, cki,1, cki,2, cki,3) ∈ (Z 8 2) 4 where cki,j = 28i + 7j mod 256, represented in binary. Then (5) RKi = Yi+4 = Yi ⊕ L ′ (S(Yi+1 ⊕ Yi+2 ⊕ Yi+3 ⊕ CKi)) 2.4. The SMS4 Round Function. We define a vector (Xi, Xi+1, Xi+2, Xi+3) ∈ (GF(2) 3 2) 4 as the input to round i, numbering the rounds from 0. Thus, (X0, X1, X2, X3) represents the plaintext. Then, (6) Xi+4 = Xi ⊕ L(S(Xi+1 ⊕ Xi+2 ⊕ Xi+3 ⊕ RKi)) The output of the last four rounds is reversed (at the word level) to generate the ciphertext. Thus, the ciphertext is (X35, X34, X33, X32). 3. Simplified SMS4 To provide for some basic exploration of the behavior of algebraic attacks over a larger number of rounds, as well as to provide a form of SMS4 that can be worked out by hand, this paper proposes a simplified SMS4 algorithm, which will be referred to from here as S-SMS4. The basic operations of S-SMS4 are identical to full SMS4, except that all operations on 128-bit blocks become operations on 32-bit blocks, operations on 32-bit words become operations on 8-bit “words”, and operations on 8-bit bytes become operations on 4-bit nibbles. 3.1. The S-SMS4 S-box. The S-box of SMS4 was designed from the description of the full SMS4 S-box in [9]. The new S-box is designed to transform a 4-bit vector to another 4-bit vector, but otherwise follows equation 1 plus reversing input and output. Thus, a smaller cyclic matrix is the basic A with its bottom row as the row vector for C. Thus, A = ⎡ ⎢ ⎣ 1 1 1 0 0 1 1 1 1 0 1 1 1 1 0 1 C = (1, 1, 0, 1) Accounting for the reversal and using the form of equation 2, however, we derive the following matrices in a similar manner: ⎡ 0 1 ⎢ A1 = ⎢ 1 1 ⎣ 1 1 1 1 0 1 0 1 ⎤ ⎥ ⎦ 1 0 1 1 ⎤ ⎥ ⎦
ALGEBRAIC CRYPTANALYSIS OF SMS4 5 00 01 10 11 00 1001 0001 1011 0010 01 1111 0110 1000 1101 10 0111 1100 0011 1110 11 0100 0000 1010 0101 Table 2. S-SMS4 S-box, in the same form as table 1 A2 = ⎡ ⎢ ⎣ 1 1 0 1 1 0 1 1 0 1 1 1 1 1 1 0 C1 = (1, 1, 0, 1) T C2 = (1, 0, 1, 1) T The inversion step is similar to full SMS4, except that we use GF(2 4 ) with an irreducible polynomial of ⎤ ⎥ ⎦ f(x) = x 4 + x 3 + x 2 + x + 1 This S-box can also be written as a table, see table 2. Because the S-SMS4 S-box only accepts one byte as input, which is two nibbles, we split X ∈ (GF(2)) 32 into (x1, x2) ∈ (GF(2) 4 ) 2 and write: S(X) = s(x1)s(x2) These parameters were chosen in attempt to model the properties of the full SMS4 S-box, providing a small field size over which inversion remains non-trivial. 3.2. The S-SMS4 Linear Diffusion Transformation. S-SMS4, like full SMS4, uses two linear diffusion transformations. Each function operates on x ∈ GF(2) 8 . For the round function, (7) L(x) = x ⊕ (x ≪ 2) ⊕ (x ≪ 6) For the key schedule, (8) L ′ (x) = x ⊕ (x ≪ 3) ⊕ (x ≪ 5) 3.3. The S-SMS4 Key Schedule. The key schedule for S-SMS4 is analogous to full SMS4, except that we must use shorter initial keys and CK values. The initial keys are as follows: Y0 = K0 ⊕ 0xa3 Y1 = K1 ⊕ 0xb1 Y2 = K2 ⊕ 0xba Y3 = K3 ⊕ 0xc6 Denote CKi = (cki,0, cki,1) ∈ (Z 4 2) 2 where cki,j = 11i + 3j mod 16, represented in binary. Then equation 5 holds. 3.4. The S-SMS4 Round Function. With the notations in this section, equation 6 holds for simplified SMS4. We denote S-SMS4 to have eight rounds, thus the ciphertext is (X11, X10, X9, X8).
Page 1 and 2: ALGEBRAIC CRYPTANALYSIS OF SMS4 JER
Page 3: ALGEBRAIC CRYPTANALYSIS OF SMS4 3 H
Page 7 and 8: ALGEBRAIC CRYPTANALYSIS OF SMS4 7 S
Page 9 and 10: ALGEBRAIC CRYPTANALYSIS OF SMS4 9 T
Page 11 and 12: ALGEBRAIC CRYPTANALYSIS OF SMS4 11
Page 13: ALGEBRAIC CRYPTANALYSIS OF SMS4 13

SMS4 - Northern Kentucky University

Create successful ePaper yourself

Delete template?

Save as template?